4 thoughts on “Honeypot test”

My Ubuntu box got infected with the same.
I was playing around with the crontab for root, checking out what it had and I stumbled across the same commands installed as a crontab.

Somehow though, the crontab was corrupted with a line
“s file to introduce tasks to be run by cron.”
which was not commented (could be deliberate).

I’m not touching the crontab file currently because
1) when I try to open it, vim dumps the core and exits. So does nano.
2) I’m hoping this is the same problem the trojan is facing and is not able to use my box as a bot. 😀

Try to purge crontab like this: echo "" > /var/spool/cron/crontabs/root, and recopy your cron rules.
Check if you have the bad binaries installed like /etc/.SSH2 or search if you have a file with the same md5 value as the bad binaries, and remove it.
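
The two checks discussed in these comments (a stray unparseable line in root's crontab, and files matching the MD5 of the bad binaries), as an added example that is not part of the original comments. The function names and the sample crontab are constructed, and the page lists no MD5 values, so the caller supplies the known-bad hashes.

```python
import hashlib
import os
import re

# One schedule field: *, a number or range, or a 3-letter name, optional /step.
_ITEM = r"(?:\*|\d+(?:-\d+)?|[A-Za-z]{3}(?:-[A-Za-z]{3})?)(?:/\d+)?"
_FIELD = r"%s(?:,%s)*" % (_ITEM, _ITEM)
# A user crontab entry: five fields (or an @keyword) followed by a command.
_ENTRY = re.compile(r"^(?:@[a-z]+|%s(?:\s+%s){4})\s+\S" % (_FIELD, _FIELD))
_ENV = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")


def malformed_crontab_lines(text):
    """Return (line_number, line) for lines that are not valid crontab syntax."""
    bad = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are fine
        if _ENV.match(line) or _ENTRY.match(line):
            continue  # environment assignment or schedule entry
        bad.append((number, line))
    return bad


def files_matching_md5(root, bad_md5):
    """Walk root and return paths whose MD5 is in bad_md5 (lowercase hex)."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, sockets, devices
            digest = hashlib.md5()
            try:
                with open(path, "rb") as handle:
                    for chunk in iter(lambda: handle.read(65536), b""):
                        digest.update(chunk)
            except OSError:
                continue  # unreadable file; skip it
            if digest.hexdigest() in bad_md5:
                hits.append(path)
    return sorted(hits)


# Constructed sample crontab containing the stray line quoted in the first comment.
SAMPLE = ("# Edit this file\ns file to introduce tasks to be run by cron.\n"
          "*/5 * * * * /usr/local/bin/backup\nMAILTO=root\n")
```

Syntactically valid entries pass the first check, so every remaining schedule line still needs to be read by hand before the crontab is restored.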